
UK contact-tracing app has multiple serious security flaws

Experts warn that weaknesses in the NHS app could allow attackers to steal encryption keys

The UK’s coronavirus contact-tracing app has been found to have wide-ranging security flaws while the system is being trialled on the Isle of Wight.

Independent security and privacy consultant Dr Chris Culnane and Thinking Cybersecurity CEO Vanessa Teague have found that the recently-delayed NHSX contact-tracing app is rife with "varied" security problems that pose a threat to user privacy. 

Weaknesses in the app registration process could allow attackers to steal encryption keys, for example, while the storing of unencrypted data on handsets could potentially be used by law enforcement agencies to determine when two or more people met. 

They also found that the app was generating a new random ID code for users only once a day, as opposed to every 15 minutes in the case of Apple and Google's API, which the researchers warn could pose risks to users' personal safety. 

Culnane and Teague explain that “when someone self-diagnoses and uploads their logs, access to just the encrypted BroadcastValues that they have received risks revealing a number of lifestyle attributes about the uploader.

“For example, by comparing the BroadcastValues recorded on the device between 3 am and 5 am, and subsequently between 11 pm and midnight, the viewer will be able to determine whether the uploader woke up and went to bed with the same person, or more revealingly, if they did not.”

“One example of such would be if an abusive partner wants to monitor their spouse’s interactions. At the very least they will be able to interrogate their spouse about the details of every interaction. In a worse case, if they suspect the spouse of meeting with someone they do not want, they need only get within range of that person briefly on the same day to record the BroadcastValue themselves and subsequently cross-reference it with those recorded on their spouse’s device.”
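The rotation-interval point in the paragraphs above is easy to see in a small model. The following is an added illustration, not code from the article or from the researchers' report, and it does not reproduce the real app's BroadcastValue format: the token derivation (an HMAC over the rotation epoch), the device secret and the sighting times are all constructed here. It shows why a token that changes only once a day lets two sightings hours apart be matched to the same device, while a token that rotates every 15 minutes does not.

```python
import hmac
import hashlib

MINUTES_PER_DAY = 1440


def broadcast_value(device_secret: bytes, rotation_minutes: int, minute_of_day: int) -> str:
    """Hypothetical broadcast token: an HMAC over the rotation epoch index.

    The token only changes when minute_of_day crosses into a new epoch,
    so every sighting inside one epoch carries the same token. This is a
    stand-in for the app's BroadcastValue, not its real construction.
    """
    epoch = minute_of_day // rotation_minutes
    digest = hmac.new(device_secret, epoch.to_bytes(4, "big"), hashlib.sha256).digest()
    return digest[:8].hex()


def same_token(device_secret: bytes, rotation_minutes: int, minute_a: int, minute_b: int) -> bool:
    """True when two sightings of one device would carry an identical token."""
    return (broadcast_value(device_secret, rotation_minutes, minute_a)
            == broadcast_value(device_secret, rotation_minutes, minute_b))


def distinct_tokens_seen(device_secret: bytes, rotation_minutes: int, sighting_minutes) -> int:
    """Number of different tokens one device would have shown across the sightings.

    With one token per day every sighting is trivially linkable; with short
    rotation, sightings in different epochs cannot be tied together from the
    token alone.
    """
    return len({broadcast_value(device_secret, rotation_minutes, m) for m in sighting_minutes})


# Constructed scenario: one device seen at 03:30, 04:10, 23:15 and 23:50.
DEVICE_SECRET = b"constructed-secret-not-a-real-key"
SIGHTINGS = [3 * 60 + 30, 4 * 60 + 10, 23 * 60 + 15, 23 * 60 + 50]


def compare_policies(sightings=SIGHTINGS, secret=DEVICE_SECRET) -> dict:
    """Distinct tokens observed under daily rotation versus 15-minute rotation."""
    return {
        "daily": distinct_tokens_seen(secret, MINUTES_PER_DAY, sightings),
        "15min": distinct_tokens_seen(secret, 15, sightings),
    }


if __name__ == "__main__":
    for policy, count in compare_policies().items():
        print(f"{policy}: {count} distinct token(s) across {len(SIGHTINGS)} sightings")
```

Under the daily policy the early-morning and late-night sightings share one token, which is exactly the linkage the researchers describe; under the 15-minute policy each sighting falls in a separate epoch and the tokens are unrelated. The real protection also depends on the token being unlinkable across epochs, which the HMAC-per-epoch construction here models but the article does not detail for the NHSX app.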

Culnane and Teague, who are in favour of the decentralised API model which was snubbed by the UK in late April, informed the National Cyber Security Centre (NCSC) of the risks on 12 May. 

"It was always hoped that measures such as releasing the code and explaining decisions behind the app would generate meaningful discussion with the security and privacy community," an NCSC spokesperson said in a statement. "We look forward to continuing to work with security and cryptography researchers to make the app the best it can be."

News of these security flaws comes as it was revealed that the outsourcing company Serco, responsible for training staff to trace cases of the coronavirus for the UK government, had accidentally shared the email addresses of almost 300 contact tracers.

The error was made when a Serco employee accidentally pasted the email addresses into the CC field instead of BCC. The company has issued an apology, vowing "to make sure that this does not happen again".

According to health secretary Matt Hancock, the UK government has hired 21,000 contact tracers, of which some are healthcare professionals.
